DESOSA 2022

Wireshark

Wireshark is an open-source, cross-platform network packet analyser tool freely available. It is the most widely-used tool of its kind, with usage in both commercial and educational domains.

The Wireshark project, which started under the name Ethereal, was created in the late 1997s by Gerald Combs who needed a tool for tracking down network problems and wanted to learn more about networking 1. Several people saw the potential of Ethereal and started contributing protocol dissectors and patches. In 2006, the project was renamed to Wireshark, since Combs owned the rights to the code of Ethereal, but not the trademark. Wireshark finally arrived at version 1.0 in 2008. Combs continues to maintain the overall code of Wireshark and issue releases of new versions of the software. The product website lists almost 2000 additional contributing authors. 2

Wireshark is mostly known for spoofing networks, but in a professional context, it can be used as a debugging tool to troubleshoot a company’s internal network or to see if there are any people (devices/machines/etc.) in the network who shouldn’t be a part of it.

As the Covid-19 pandemic progressed, cyber attacks became more and more popular, especially targeting large businesses rather than small startups and individuals 3. That is not to say that the latter group was safe by any means, as ransomware and phishing attacks also caused some damage 4. Furthermore, DDOS attacks, man in the middle attacks, ARP spoofing, and port scanning can also be identified by analyzing network traffic. With the use of a tool such as Wireshark, such attacks can be spotted by monitoring the network, provided that you know what to look for. In addition, with Wireshark, network administrators and engineers can also evaluate a network’s performance and traffic management.

Features Source and Functionality 2: Wireshark is a data capturing program that “understands” the structure (encapsulation) of different networking protocols. It can parse and display the fields, along with their meanings as specified by different networking protocols. Wireshark uses pcap to capture packets, so it can only capture packets on the types of networks that pcap supports.

Wireshark is very similar to tcpdump, but has a graphical front-end and integrated sorting and filtering options. Wireshark lets the user put network interface controllers into promiscuous mode (if supported by the network interface controller), so they can see all the traffic visible on that interface including unicast traffic not sent to that network interface controller’s MAC address.

Data can be captured “from the wire” from a live network connection or read from a file of already-captured packets. Live data can be read from different types of networks, including Ethernet, IEEE 802.11, PPP, and loopback. Captured network data can be browsed via a GUI, or via the terminal (command line) version of the utility, TShark. Captured files can be programmatically edited or converted via command-line switches to the “editcap” program. Data display can be refined using a display filter. Plug-ins can be created for dissecting new protocols. VoIP calls in the captured traffic can be detected. If encoded in a compatible encoding, the media flow can even be played. Raw USB traffic can be captured. Wireless connections can also be filtered as long as they traverse the monitored Ethernet. Various settings, timers, and filters can be set to provide the facility of filtering the output of the captured traffic.

References

  1. Wireshark. (2015). A brief history of Wireshark. Wireshark docs. Retrieved February 16, 2022, from https://www.wireshark.org/docs/wsug_html_chunked/ChIntroHistory.html ↩︎

  2. Wikimedia Foundation. (2022, February 13). Wireshark. Wikipedia. Retrieved February 16, 2022, from https://en.wikipedia.org/wiki/Wireshark ↩︎

  3. Interpol. (2020, August 4). Interpol report shows alarming rate of cyberattacks during COVID-19. Interpol news and events. Retrieved February 16, 2022, from https://www.interpol.int/en/News-and-Events/News/2020/INTERPOL-report-shows-alarming-rate-of-cyberattacks-during-COVID-19 ↩︎

  4. Patterson, D. (2021, May 19). Cybercrime is thriving during the pandemic, driven by surge in phishing and Ransomware. CBS News. Retrieved February 16, 2022, from https://www.cbsnews.com/news/ransomware-phishing-cybercrime-pandemic/ ↩︎

Project Site | Project Source

Authors

Marco Kaldenbach

Embedded Systems MSc student interested in programming languages and low-level programming

Paula Iacoban

Computer Science master student & tech enthusiast curious about spaceflight.

Kenrick Trip

Embedded Systems and Systems and Control MSc student interested in embedded control system implementations

Andrei Stefan

Computer Science MSc, Software Technology track, interested in game development and animation

Wireshark - Scalability

Introduction In his paper 1, André B. Bondi introduces the terms structural and load scalability as follows: “Structural scalability is the ability of a system to expand in a chosen dimension without major modifications to its architecture. Load scalability is the ability of a system to perform gracefully as the offered traffic increases”. In the following sections we analyze the structural scalability of Wireshark by focusing on its core, as well as dissectors and Lua API2, while the load scalability and power usage is studied by measuring Wireshark’s performance under a (simulated) high network throughput, and the effect of memory leaks on the space is considered at the end.
Wireshark
March 28, 2022

Wireshark - Quality and Evolution

Introduction Having seen Wireshark’s product vision and architecture, this essay will focus on the quality of the application and its evolution. Key quality attributes When it comes to quality and evolution, the qualities of Wireshark that stand out are compatibility, consistency, modularity, and robustness. Cross-platform compatibility and portability are ensured in the continuous integration/continuous deployment (CI/CD) pipeline, as it runs workflows on the three most popular OS architectures: Windows, macOs and Linux (Ubuntu).
Wireshark
March 21, 2022

Wireshark - From vision to architecture

While the previous post focused on the general, top-level view of Wireshark as a product and its goals and ethical implications, this time we will be taking a deep dive into its architecture. Everything from architectural style, to the C4 model1, and even the API will be discussed and analyzed. Main architectural style The Wireshark project consists of both a graphical user interface (GUI) as well as a command-line interface named TShark.
Wireshark
March 14, 2022

Wireshark - Product Vision and Problem Analysis

Whether you are a student learning about computer networks and protocols for the first time or a big tech company trying to find the source of a bug within the internal network, a method of capturing packets can prove indispensable. There are various means of accomplishing this task, such as tcpdump, WinDump, and others, but Wireshark stands out with its simple and stylish graphical user interface (GUI), easy to understand filters, and wide range of functionalities.
Wireshark
March 7, 2022

Contributions

Allow building with Qt without Xcode on macOS

wireshark

During the Wireshark build on macOS, it became clear that the full desktop version of XCode was required to build Wireshark. Since we did not have this installed and the fact that XCode requires over 60 GB of disk space, we started looking for alternatives. We found a way to build Qt without XCode. Since the full XCode desktop application was only required to build Qt, we could now build Wireshark with only XCode command-line tools that are only 2 GB. We opened an issue on Wireshark ourselves and started contributing to the codebase to change the macOS build process.

The Merge Request removes the requirement to install the full version of XCode as a dependency for running the build bash script on macOS. Instead, it checks if Qt is installed on the device since this is the root of the requirement for the XCode install. It is possible to build Qt without the full XCode with some extra work. The new build bash script will allow for this option.

if /usr/bin/xcodebuild -version 
    >/dev/null 2>&1; 
    then
    :
elif qmake --version >/dev/null 
    2>&1; 
    then
    :
else
    echo "Please install Xcode 
        first ... or build Qt 
        according to (link)"
open
Open PR

Remove sharkd's json newline restriction

wireshark

The Merge Request removes the restriction of having the json strings on a single line. Valid json string input would now also be:

{
 "jsonrpc": "2.0"
 , "id": 1
 , "method":"status"
}
{"jsonrpc": "2.0","id": 1, 
"method":"status"}{"jsonrpc": 
"2.0","id": 1,
"method":"status"
}
open
Open PR

Remove sharkd's json order restriction

wireshark

The Merge Request removes the restriction of the “method” root member needing to be in front of parameters of the specified method within the json string. A valid json string would now also be (on a single-line): {“jsonrpc”:“2.0”, “params”:{“file”:“info.pcapng”}, “id”:1, “method”:“load”}

open
Open PR